#WeCyberToo: Cassandra Giddings, Security Engineer

Editor’s note: #WeCyberToo Talent Spotlights cover women of color in cyber so our daughters can see women who look like them thriving in the field.

Meet Cassandra Giddings / Information System Security Engineer

How did you end up in cyber security?

I got laid off from a job. After retiring from the military I was intent on finding a job that allowed me to do something TOTALLY different from what I had done in the military (Human Resources (HR)). I accepted a job from BAE Systems that was doing something I had never heard of before (Earned Value Management (EVM)).

I thought that would be a great challenge and frankly I never thought I could be hired for a job that I didn’t know even existed and a company would pay to train me and then let me do the job 1-2 years later. Who knew?

It was the challenge I had expected and I performed the job for a little over 5 years. It was my first experience as a contractor and upon contract recompete -I was laid off.

That was a shock to my system on a few levels.

I had never been released from a job in my entire working life (of many years). I honestly did not know what to do. After the initial shock (which was quite a few days) wore off, I began to see the opportunity available to me.

I had enrolled in a Master’s program for Information Assurance at Capitol College and had completed only a couple of courses before I got laid off. I really only enrolled to ensure I utilized my GI Bill money that remained in my account.

Here’s a position I can build around- complete the MS and see what happens. I had no expectation but it could be a path to what was next for me.

What is the most difficult challenge you have faced as a woman in a male dominated field?

Being a woman in a male dominated field (IT) is not new for me after serving 26 years in the U.S. Marine Corps.

Being a black woman in a white male dominated area of work was not new to me. My Marine Corps experience prepared me for anything that the civilian world might throw at me.

However, my challenge in IT has been having to prove to men that you know and understand the more technical aspects of IT.

I had hoped I was done proving myself.

I was wrong.

Quite similarly, the men in IT are all not overly educated but entrenched in positions through tenure. This entrenchment requires me to do a lot of listening and a lot of studying - not just to understand but to articulate to anyone on any level. I wouldn’t have it any other way.

I don’t just talk the talk. I walk the walk. I have earned everything I have achieved and want to be respected by my peers for my entire body of work as well as any achievements.

How did you overcome said challenge?

I face the challenge each day by continuing to stay on top of new technologies and staying hungry to keep learning. I learned to appreciate the value of a mentor.

I embraced humility and accepted that learning was going to be continuous to achieve the status I intended to reach. I consult with my mentor regularly and I keep abreast of the changing landscape of technologies in the cyber space.

A reader of Danyetta’s profile suggested asking future interviewees to share failures because those have a bigger impact than just feel good stories. Do you have a failure that you would like to share?

I honestly cannot think of a failure that I have experienced since joining the IT field. But I will tell you that my layoff from BAE Systems (initially) felt like a failure.

Although I had not done anything wrong to cause me to think of it as a failure, my definition of failure was to not be successful in something attempted. That was absolutely not the case. In retrospect, it was a total failure to not see the ax coming or to not understand why.

I had so much confidence in how well I was doing my job that I did not bother to do any research on how contract work really ‘worked’.

I had no clue about what questions to ask regarding the contract or what to look for during a project to protect myself from the shock of a potential layoff.

I never dreamed a person who was doing their job well (from my perspective) would or could be basically fired. It was my wake-up call. It was a bitter pill to swallow for about a week.

I did learn years later that it was not my performance that caused me to be targeted in the reduction in force (RIF). It was an expected contract recompete (won by the incumbent-BAE) but with significantly reduced funding for personnel to perform the work. So personnel with labor rates that exceeded the new contract rates were identified for RIF.

News flash!!!

A six figure salary can be a detriment to continued employment if contract funding is reduced. My lesson was to pay attention and learn more about contracting in the government space related to “at-will” employment.

How did you turn that failure into an opportunity?

The RIF experience allowed me the time and space to rethink my strategy of how to get into the IT field and do the work in which I was really interested. After the shock wore off – I developed a 3 year project plan to obtain a job in IA at the same or greater annual salary as before the RIF.

I began by asking some professional colleagues about the pros/cons of career transitions for a >40 year old professional with a MS degree and no related experience. That was a comical series of conversations.

As you could imagine, the conversations ran the gamut. After sharing my 3 year plan I was strongly encouraged to revamp my plan because it would never work.

First, I was told I should embrace an inevitable pay cut to the tune of 50-60%.

Secondly, my prized MS didn’t carry any weight in the IT sector- especially with no hands on experience. It was referred to as a nice to have but it opened zero doors.

Lastly, my age would be prohibitive in affording me the opportunity to learn it from the help-desk through and up to the management level of IA.

I heard everything everyone told me and I set out to prove them wrong. I executed my very aggressive plan to perfection.

I started with acquiring a 3 month unpaid internship (with the assistance of a colleague), which provided me the hands on experience to get a help-desk position.

The help-desk position (at a 60% pay cut from my previous position at BAE Systems) was with a company that also had a small IA shop (my next goal) but was only a 7 minute commute from my home. Who knew?

In a little over 9 months into the help-desk position a complete shift occurred with contract positions and an opening was available in the IA shop. The company decided to promote from within and I got the chance to compete with other help-desk technicians for the open spot in the IA shop.

Nailed it!!

At this point I was well over a year ahead of my projected plan for obtaining a job in IA. What’s missing?

I leveraged the experience obtained in the small IA shop to get a shot at that “perfect project” for the recovery of the salary lost in the RIF.

That’s right!

In less than 2 years I reinvented my professional life to become closer to being an IA subject matter expert (SME).

I put my head down, put the work in, ignored all the naysayers, invested in myself (financially - went and got certifications at my expense - they were not cheap) and accomplished everything everyone said I could not {and more}.

I would not accept failure. Failure was not an option for me.

I viewed failed exams (yes, I failed a few along the way) as detailed preparation for a comeback. I went back to the grind and got it done. No one has ever asked me how many times I tested before I achieved certification success. They see the credential(s) and the entire body of work. That’s the goal- I want to be judged by my entire body of work.

What advice would you give someone looking to enter the information security field?

I would recommend anyone looking to enter information security to spend some time planning what you want to do and how you can accomplish your goals. The IT field is a pretty vast area of work.

Decide what part of IT is exciting to you and what is required to get that type of work. Be honest with yourself about if you are ready to commit to what is required. If you are not ready to commit to the work – do all involved a favor – pick another area, please.

What formal education, skill sets, and/or certifications do you recommend that people start with to stand out among other candidates in the cyber security field?

The right mix of formal academic education, IT (cyber) certifications and skill sets is a moving target at best. There are arguments on all sides of what is required, I guess this depends on who you ask.

I would submit that formal education is important, maybe not a primary requirement but it will distinguish the ability to reach any level of management.

Certifications are area specialty dependent.

Flexibility and willingness to remain committed to learning have been my most valued skill sets in staying viable and valuable in cyber security.

Can you give a brief “day in the life of” description of your role to help women that are coming into the field behind you understand what that kind of work entails?

As an Information System Security Engineer I support several different projects and systems. Organization is my best and closest friend.

I am fortunate enough to work on projects in various capacities (part security control assessor (SCA) work and information system security engineering (ISSE) work and part information system security representative/management (ISSR/ISSM)).

I begin my days by checking with my immediate managers to ensure there are no fires to address. Without fires my days are planned by system/project.

I have projects that require me to assess system controls in preparation of accreditation packages. I also support projects that require me to collaborate with external stakeholders to keep projects focused on including security (up front) in the implementation of new projects.

Ultimately I support projects in order to attain and maintain system accreditations.

Why did you become a CISSP?

I love this question. Thank you for asking. Obtaining the CISSP was a part of my long term plan; however, I realized very quickly (only 3 interviews in a year) upon venturing into the “get a job in Information Assurance (IA)” execution phase of my plan that I would need to modify my plan.

I had completed the MS program in IA and I thought I was well on my way to success. That six figure IA job and spiffy title were just an interview away. So that didn’t turn out at all the way I expected.

No one informed me that the IA area of work in which I wanted to specialize required more than the academic achievement of a MS degree.

Every interview I landed (without a CISSP) had an implied requirement or strong desire for the potential employee to have the “coveted” CISSP.

When I inquired about why it was so revered- the response I got is that the majority of most government contracts required this certification for the type and level of work I was interested in pursuing.

So if I intended to get past the “interview” phase of my plan I needed to get the CISSP.

Yes, it took me more than one attempt (ok 2 but who’s counting?). My persistence reigned supreme.

It was an absolute “game changer”.

Since I received the CISSP certification, my email is more unmanageable (recruiters and the like) and my phone is always out of voicemail (VM) space. VMs anywhere from 15-50 secs long from recruiters far and wide, 7 days a week.

The interest level of my skillsets and body of work is referred to as “a good fit” for just about any XYZ job in the IT cyber sector.

What project(s) are you most proud of?

I am most proud of a job I accepted specifically to undertake a massive system certification project. The best part is that I was able to land the job without a CISSP (in between exam attempts).

The hiring manager trusted my current work experience and desire to complete the project enough to hire me and groom me for the Project Lead position. I was fresh off a disappointing first attempt failure of the CISSP but I was not going to turn down the interview.

I immediately saw the vision of the project and it excited me to be considered to do the work. There were so many levels of dysfunction and ultimately so many ways to succeed with the completion of the project – I had to at least consider the opportunity.

The hiring manager and I shared a common trait that involved tackling difficult tasks and basking in the rewards of success. I was hired for the project and within 18 months success had been achieved.

To provide some scope to the project- imagine this? The project was presented as follows:

This system is in need of a massive overhaul. The current system has not been appropriately managed for 3-4 years. There is no asset management, no introduction of any security mechanisms and there needs to be a collapse of the current environment to provide continued support for a 24/7 global operation.

The newly formed (funded) IA department consists of 2 junior level non-experienced persons (at the moment). Oh and there is a major CCRI inspection scheduled in 12-15 months.

That was a challenge I surely would never get again. It was an opportunity to get in at the beginning of the project and I had the chance to shape the team required to complete the project. It was the perfect project!

It also turned out that the job offer increased my pay by 100%. (no kidding).

Yes, I accepted the offer with a smile and an eagerness to roll my sleeves up and get to work.

Of course, over the 18 months I questioned my motives (it was an uphill challenge for sure) and frankly theirs (management buy-in was non-existent/forced) but as a team we got through the project, we passed the CCRI with a score >85%.

To be fair- the team we assembled did not achieve the certification of the system because of some unfortunate events (project de-scoping, loss of dedicated IA funding and reassignment of key IA personnel).

However I am confident the work we put in contributed significantly to the system attaining its certification only months after the team was dismantled for other higher organizational priorities.

Paying It Forward

My ‘give back’ project outside of work involves serving on the Board of Directors for a non-profit organization in my community - UrbanEd.

The organization’s mission is to provide District of Columbia children, youth and adults with technology-driven education, information and skill development for sustained futures.

The instruction provides training that enables DC residents potential initial employment as Help Desk technicians and the ability to hopefully continue to grow and succeed in the IT field.

These jobs many times are the first glimpses of economic viability in their families. The confidence gained from being able to be financially solvent is an added bonus.

The board work was far more challenging than anything I could ever have imagined. While I no longer serve on the board I still support the organization and I respect anyone who serves the needs of their community.

I have also served several other organizations in DC by volunteering my time and talent to those organizations as a consultant, an Assistant Instructor for basic computer courses and a Computer Lab Monitor for a residential building computer lab for residents and others in the networked neighborhood in NW – Jubilee Housing.

Organizations like these do yeoman’s work to help the residents of DC bridge the gap in technology advances.

I am honored and proud to be associated with organizations of this stature. My success has been propelled and stabilized by the assistance of many others. I gain great satisfaction in giving back in any small way I can.

Is there any other info you’d like to share that you feel would benefit our readers?

Mentorship is important. We should make room in our professional lives to consider mentoring. I think it is very important to do our part in this regard. I have been extremely fortunate in finding other professionals who lend me their assistance, mentorship and guidance. I believe that ‘giving back’ should include helping someone else achieve their goals in life.

Thank you for your service to our country and we really appreciate you taking the time to share your insights! How would you like readers to contact you?

I prefer to be contacted on LinkedIn.

About Cassandra Giddings

Cassandra Giddings is the President and CIO of OMO LLC. This is a Woman Owned Small Business (WOSB) and Service-Disabled Veteran Owned Small Business (SDVOSB) company created and in operation since 2006.

She currently works in the Cybersecurity sector of Information Technology with over 10 years of IT management experience ranging from Help desk Technician to Project/Program Management of IT Programs and Resources. She feeds her passion for IT by remaining current in technology trends and the effects of those trends.

She has volunteered with ByteBack, First Time Computers and Jubilee Housing as an Assistant IT instructor and resident Computer Lab monitor. She has over 6 years experience as a Systems Administrator working as a contractor for several government programs.

She holds a MS in Information Assurance from Capitol College in Laurel, MD; a MS in Human Resource Administration from Central Michigan University in Flint, MI; a BA in Women’s Studies from George Mason University in Fairfax, VA.

She has earned several IT certifications including the CISSP and recently added a CISSP concentration of ISSEP.

Editor’s note: Women of color were noticeably absent from most of the top women in cyber and top security bloggers lists in 2016 (and those released in 2017). I applaud the work of those who were celebrated because the recognition is certainly well-deserved.

However, I want to expose students in my demographic to women who look like them. They need to know that we are out here ready to help them navigate the complexities of this field.

I also want to create our own “Top Lists” to celebrate our accomplishments just in case future lists exclude us, inadvertently or otherwise.

Our stories connect us, and our daughters need to see people who look like them thriving in this high tech field. How else will they know we exist? How else will they know they are welcome?

We are not waiting any longer to be chosen. We are choosing ourselves as of February 2017 because gender diversity is not enough.